Do you know the hidden security risks of online games?

There's a popular internet saying: "Every application has been attacked. If you think one hasn't, it's because you do not know it yet." Games, as the most profitable segment of the internet industry, suffer the highest intensity and complexity of attacks. During my years of service for users in the game industry, I have many times seen passionate entrepreneurial teams and products with unique features strangled in the cradle by these kinds of internet attacks. I have also seen a very stable product suffer irreversible damage to its reputation because of an elementary system vulnerability that resulted in user data leakage and tampering. The Alibaba Cloud Security team has summarized the game industry's security issues roughly as follows:
DDoS attacks
They remain the top threat against the online game industry. In 2016, the global recorded DDoS peak approached 600 GB, and DDoS attacks of more than 300 GB are not rare at all in the game industry. The low attack cost, namely 1/N of the defending cost, results in an extreme imbalance between the offensive and defensive parties. The attacks are getting more and more complex, with more and more attack points, and basic static protection policies cannot achieve a satisfactory result.
Cracking and plug-ins
The purposes of cracking and plug-ins are mostly achieved by exploiting the security vulnerabilities of the game client or server, or by spreading Trojans via game communities or built-in communication channels. The attack means include common plug-ins that require no gaming clients, plug-ins, and offline plug-in programs, as well as changing the normal game data, which affects the game balance and ultimately has a significant impact on the game's operation.
Spam registration, game account theft and so on
A large number of alt accounts are registered to earn premiums for new accounts or to increase in-game currency and items. Automated library scans or hits are used to steal accounts. Some channel vendors cheat traffic-counters using simulators…
Mobile growth trend
The rapid growth of mobile terminals increasingly highlights the importance of mobile security.
Games are placing more and more emphasis on quality, and it is becoming increasingly rare to profit through superficial changes. The phase in which higher bandwidth is much sought after and game security relies on individual protection products or protective policies is long gone. Current security policies involve a full-network collection of security information, a large amount of targeted defense-protection real-combat exercises and all-round protection. Of course, all of these require a simple user interface and sound cost effectiveness.
Let's discuss:
1. In addition to traffic flooding attacks, what other problems do you know that will seriously affect the security of game operations?
2. What security problems have you experienced in person? How did you solve them, and what are the results?
3. Do you understand the overall security and hidden risks of the game businesses you manage? Is there a pre-plan in place?
4. What are your opinions and suggestions for the industry's security services and security solutions?


Although current application development tends to place more emphasis on web applications, a lot of large-scale software also uses existing frameworks. With the improvement of existing frameworks and engines, a vast majority of security issues have been resolved. But when faced with some customization needs, developers still have to design bit by bit from the ground up. At this time, developers with no security experience easily make mistakes, leading to serious security risks. This article takes a large-scale online game with a self-developed engine as an example to demonstrate hidden issues that are easily ignored during development. There are too many security issues that are easily overlooked during the development process, and a vast majority of the issues are caused by too much trust, such as trusting the code of colleagues, developers' own code, the legitimacy of the source of the call, and users' operations. Too much trust across the board shouldn't be the norm, as it leaves holes open for attacks. Development is a creative job at the roots, and we should be skeptical rather than trust it. Questioning everything may not increase development efficiency, but it can save the whole system at crucial moments.

The issues mainly involve the following aspects:
1. Login authentication
Almost all web games are operated in the form of multimodal transport, which means that the game server itself does not save the user password. The user should log on to the platform to log onto the game through the interface between the platform and the game server. The interface implements encryption authentication, so security issues regarding the webpage game account and password will not be mentioned here. Attention should also be paid to the security of the hash string for login authentication, such as the effective time of the login hash string, the source of the encryption parameters for the hash string, including the user name, login IP address, browser user-agent and other data to prevent the modified hash from being leaked. Otherwise, it is very difficult to pass server verification.
2. Game top-up
The top-up procedures for webpage games are consistent with the top-up procedures for general webpages. There is nothing special. But there is a difference in that it is imperative to connect to the interfaces of each company during joint operation with other numerous platforms. The interface specifications vary a lot and game vendors have no right to speak but only to follow their interface specifications, which is tricky.
3. Reference of remote files
The development of most webpage games uses the framework, that is, using REQUEST parameters as a part of the request file, which easily leads to a vulnerability involving remote file reference. In our previous games, we've experienced this loophole.
4. SQL injection
The principles and methods of SQL injection are the same as with ordinary web applications. Only the filter processing is needed during the use of REQUEST parameters. The message formats and the injection operations are simple, which will mislead R&D personnel, and thus are easily ignored. Take the AMF message format of our projects for example. Before the emergence of front-end interfaces, we backend programmers generally used Pinta to simulate the operation and debug programs. After the front-end interface is launched, Charles proxy will be used to capture HTTP requests. In these processes, the structures of request interfaces and parameters are not as simple as in ordinary web cases. R&D personnel also easily ignore filtering the request parameters, which is why such issues are so rampant.
5. Communication protocol and message format
Webpage games, despite the name, do not only involve HTTP communication protocols. There are also many socket applications, and HTTP + socket combinations. With regard to the choice of HTTP and HTTPS, after SSL is enabled, the large number of SSL decryption and encryption operations is bound to cause an enormous increase in the CPU computing pressure on servers. The majority of transmitted content is gaming business operations and responses which can be listened to or sniffed (except for certification information). This may be incomprehensible from the security point of view, but it is understandable from the product point of view, considering the input and output and then selecting HTTP communication. In addition to the application in chat applications, sockets are also used to push data in scenarios where data or information synchronization is required between multiple players for team or clan fights in games. When sockets are used as the transmission protocol for all businesses, the protocol formats are generally open-source, such as msgpack, protobuf and the like, or custom protocols. When using a custom protocol, make sure to check each parameter and the type range of the entire message packet to avoid individual ultra-large values or boundary values which may result in memory out-of-bounds exceptions of the main program and service downtime or unavailability at large.
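Item 1 of the post above asks for a login hash string with a limited effective time that is derived from the user name, login IP address and browser user-agent. The sketch below is an added example, not part of the original post and not the poster's code; it assumes HMAC-SHA256 with a key shared by platform and game server, and the function names, token layout, key and 60-second lifetime are all hypothetical.

```python
import hashlib
import hmac
import time

# Constructed demo secret shared by platform and game server (placeholder).
SHARED_KEY = b"constructed-demo-key-not-for-production"
TOKEN_TTL = 60  # seconds the login string stays valid (assumed value)

def _mac(key, username, ip, user_agent, expires):
    # Length-prefix every field so "ab"+"c" and "a"+"bc" cannot collide.
    msg = b""
    for field in (username, ip, user_agent, str(expires)):
        raw = field.encode("utf-8")
        msg += len(raw).to_bytes(4, "big") + raw
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def issue_login_token(username, ip, user_agent, now=None, key=SHARED_KEY):
    """Platform side: called after the platform has authenticated the user."""
    issued = int(time.time() if now is None else now)
    expires = issued + TOKEN_TTL
    return f"{expires}.{_mac(key, username, ip, user_agent, expires)}"

def verify_login_token(token, username, ip, user_agent, now=None, key=SHARED_KEY):
    """Game-server side: recompute the MAC from what this request presents."""
    current = int(time.time() if now is None else now)
    expires_text, sep, presented = token.partition(".")
    if not sep:
        return False
    try:
        expires = int(expires_text)
    except ValueError:
        return False
    expected = _mac(key, username, ip, user_agent, expires)
    # Constant-time comparison; the expiry is trusted only after the MAC
    # over it has been verified.
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return False
    return current <= expires
```

Because the expiry is covered by the MAC, editing it in the token invalidates the token; a string captured in transit is useless from another IP address or browser and stops working after the lifetime ends.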
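Item 5 of the post above advises checking every parameter and the type range of the whole message packet in a custom socket protocol. The parser below is an added example, not part of the original post; the frame layout, opcodes and limits are hypothetical, chosen only to show length fields and value ranges being validated before any field is used.

```python
import struct

# Hypothetical frame layout (not from the post): uint16 total length,
# uint16 opcode, then an opcode-specific body. All integers big-endian.
HEADER = struct.Struct("!HH")
MAX_FRAME = 512                    # cap on a whole frame, header included
OP_MOVE, OP_CHAT, OP_BUY = 1, 2, 3
MAP_W, MAP_H = 4096, 4096          # valid coordinates: 0 <= x < MAP_W
MAX_CHAT_BYTES = 200
MAX_QTY = 99

class ProtocolError(ValueError):
    """Any frame that fails validation; the caller drops it."""

def _move(body):
    if len(body) != 8:
        raise ProtocolError("MOVE body must be 8 bytes")
    x, y = struct.unpack("!ii", body)
    if not (0 <= x < MAP_W and 0 <= y < MAP_H):
        raise ProtocolError("MOVE coordinates outside the map")
    return {"op": "move", "x": x, "y": y}

def _chat(body):
    if len(body) < 2:
        raise ProtocolError("CHAT body lacks its length prefix")
    (declared,) = struct.unpack_from("!H", body)
    # Check the declared length against the cap and the real byte count
    # before using it for anything.
    if declared > MAX_CHAT_BYTES or declared != len(body) - 2:
        raise ProtocolError("CHAT length field is out of range or wrong")
    try:
        return {"op": "chat", "text": body[2:].decode("utf-8")}
    except UnicodeDecodeError:
        raise ProtocolError("CHAT text is not valid UTF-8") from None

def _buy(body):
    if len(body) != 6:
        raise ProtocolError("BUY body must be 6 bytes")
    item_id, qty = struct.unpack("!IH", body)
    if not 1 <= qty <= MAX_QTY:
        raise ProtocolError("BUY quantity out of range")
    return {"op": "buy", "item_id": item_id, "qty": qty}

PARSERS = {OP_MOVE: _move, OP_CHAT: _chat, OP_BUY: _buy}

def parse_frame(data):
    """Validate one complete frame and return its fields, or raise."""
    if len(data) < HEADER.size:
        raise ProtocolError("truncated header")
    total, opcode = HEADER.unpack_from(data)
    if total > MAX_FRAME or total != len(data):
        raise ProtocolError("length field disagrees with bytes received")
    parser = PARSERS.get(opcode)
    if parser is None:
        raise ProtocolError("unknown opcode")
    return parser(data[HEADER.size:])

def build_frame(opcode, body):
    """Helper used to construct the sample frames for this example."""
    return HEADER.pack(HEADER.size + len(body), opcode) + body

def is_rejected(data):
    try:
        parse_frame(data)
    except ProtocolError:
        return True
    return False
```

The same checks apply in a C or C++ server, where a length field that is trusted without them is what turns an oversized or boundary value into an out-of-bounds read or write.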

1. In addition to traffic flooding attacks, what other problems do you know of that will seriously affect the security of game operations?
I am an experienced player of various global-scale games such as WOW and DIABLO3. In addition to traffic flooding attacks, all these world-class games once experienced issues in data and program security. The issues were mainly embodied in account theft, fraud within the game and the capitalization on program bugs.
2. What security problems have you experienced in person? How did you solve them, and what are the results?
I myself am a developer so my account has never been stolen, but I've often witnessed the theft of my teammates' accounts. However, I was cheated once when buying game cards in the game, and the seller swindled me using a stolen account. Of course, I learned from this experience and have never been cheated again. As for program bugs, it is relatively simple to handle. Once you find a bug, do not exploit it, but report it to customer service. When others profit from exploits, generally the operator will determine the severity. If the case is very serious, the punishment is usually game data rollback.
3. Do you understand the overall security and hidden risks of the game businesses you manage? Is there a pre-plan in place?
Game products have a large user base, a high frequency, and complicated business structures. It is normal to have bugs. Responding appropriately is the main consideration. Generally big game companies will have a set of corresponding response plans, just like the set of product pre-plans of internet companies.
4. What are your opinions and suggestions for the industry's security services and security solutions?
Since bugs are inevitable, the only choice left is to reduce the impact caused by bugs in gaming rules to deprive users of the benefits of exploiting bugs in the first place. For example, restrictions on transactions of various items and equipment can greatly reduce the negative impact of security issues on the game operation.

Online game players' accounts are stolen by malicious means, their equipment is stolen and sold, and the in-game currency is offered at an extremely low price by informal companies. All kinds of informal game operations cause a huge impact on the operation of online game companies. Regular game players are treated unfairly – they might spend a lot of time earning 1,000 game coins, but others can get the 1,000 game coins with just a few bucks. The large disparity in the price paid forces some players to embark on the "convenient" road. Today, many hackers are specializing in the study of game program loopholes, and a considerable number of hackers are grabbing profits in not-so-strict but absolutely confidential groups.
How is the theft of online game equipment manipulated? How do for-profit hackers work together? Those involved in game equipment theft and reselling online have formed well-knit circles which are similar to companies, but they are not actually companies. Since there are no domestic laws and regulations on network currencies, they walk on the edge of the law, earning high profits without paying taxes. Such a circle is generally composed of two parties: one is responsible for the technical aspects, that is, to obtain equipment, and the other is responsible for selling the equipment obtained by the first party. Some hackers steal online game user accounts and equipment in an organized way, and what they steal is usually top equipment.
The composition of the hacker group is relatively simple, and looking for hackers is actually not as hard as people think. Insiders all know that some hackers can be found on some websites focusing on hacking technology discussions. The reason for one to become a hacker is, first of all, out of his or her love for technologies. What follows are their desires to pry into privacy. Some young hackers may hack some websites for the purpose of showing off during their early hacker years, which has also provided some clues for online currency/property dealers who are constantly searching for hackers to provide them with loot.

1. A waste of time.
2. Easy to get people addicted (this depends on the individual's self-control).
3. Failure to find the real self, and easy to lose oneself in the vanity.
4. More happy in the illusory world, so that they are confused and anxious in the real world.
5. A waste of money.
6. Easy to be exposed to some bad information.
7. Easy to become lazy and reluctant to take care of things in real life.
8. An influence on people's character, easily making them uncommunicative and short-spoken.
The above phenomena may happen to some people, but it does not mean online games are always harmful. As long as you have a clear attitude, the game is just a means of recreation and entertainment. Just face the game squarely. Arrange your own life and time. Do not take the game too seriously, and consider it dispensable.

Sometimes security problems are not as simple as what the code involves. It is more about the management problem.
Code leaks from Microsoft, code leaks of Legend, and the various private servers of DOTA – all of these security issues have nothing to do with the quality of the code. However, these security issues are truly fatal.
In fact, this has something to do with the boss' mindset that focuses on making money and pays no attention to security from the beginning. That is the way it is. After all, true security requires a high cost, and many practitioners are just taking chances.
If the management is good, the staff are diligent, and the company has a sound security system, a vast majority of losses will be avoided.

First, the source of game security
Security means no threat, danger, harm, or loss. All human beings and resources exist in harmony, with no harm to each other and no dangers or hazards. It is a status exempt from the risks of unacceptable damages. Security means the state in which possible damages arising from the system's operation on human life, property and environment are controlled within an acceptable level in the production processes of humans. Maslow's hierarchy of needs theory divides the needs into physiological, safety, belonging and love, esteem, and self-actualization needs which are arranged from the bottom up. The needs at the bottom are the basis for the needs at the top. Safety needs mainly refer to people's demands for personal security, health and well-being, resource ownership, property ownership, moral security, job security, social and family security and so on. Online games are a virtual society. What can we see if we map people's safety needs into the game? From the figure above we can see that people's demands for personal safety and health and well-being can be understood as players' demands for game account and role security in the game. The demands for property ownership correspond to the players' demands for virtual property security in the game. The demands for job security and resource ownership correspond to the players' demands for fair competitions within the game. The demands for moral security can be understood as the players' appeals for a healthy and sound public game environment. The demands for social and family security can be considered the players' demands for the overall stability of the game operation. However, security issues such as account theft, virtual property transfer, plug-ins, studios, false malicious news, and private servers in the game have seriously affected the players' demands for game security. When the players' safety needs in the game cannot be met, what will the result be? Let's look at a group of data:

From the statistical results by research institutions over the years, the game security issues, plug-ins and other issues have become primary contributors to the loss of players, seriously affecting the healthy development of the game. When the safety needs of players cannot be satisfied in the game, the loss of players is the inexorable outcome. How can we solve these problems impairing the game security to satisfy players' safety needs in the game and maintain the healthy and sound development of games? This article will conduct analysis focusing on the security issues in current online games and introduce Tencent's solutions.
Second, online game security issues
Since the first large-scale multiplayer online game was launched in China in 2000, Chinese online games have witnessed great improvements after ten years of development, both in terms of the number of products and user scale. But at the same time, a series of gray industry chains of plug-ins, private servers, account theft, gold farming studios, and network information frauds multiplied, and the game security issues arising thereof have also become an important factor impairing the normal operation and development of games. Throughout the online game development history, the security issues can be roughly divided into five categories: plug-ins, account security issues, private servers, gold farming studios, and information security issues. There are also some server and O&M security issues.
2.1 Plug-ins
Plug-ins can be considered the primary issue impairing the normal operation of online games. Players can use plug-ins to break the balance in the game, undermine the game's normal economic system, and negatively impact players' normal game experience and the income of game companies. Plug-ins gave rise to the gold farming studio issue, and Trojan viruses bound with the plug-in may lead to account security issues. The malicious publicity information of plug-ins in the game will also seriously affect the overall environment of the game. We can say that plug-ins are the root of all evil of game security issues.
2.1.1 What is a plug-in?
Plug-ins: Illegal third-party programs that seriously damage the game balance, disrupt the game rules, and impair players' experience by modifying part of the game programs or data.
2.1.2 Cause of formation
Why are plug-ins so rampant despite repeated prohibitions in China? There are four main reasons as follows:
1. Players are keen on plug-ins
From Nintendo's Goldfinger to Kingsoft Knight, Game Master, and to "show me the money" in StarCraft, many veteran players are not unfamiliar with these tools which have also made many players fall into a habit of cutting corners and exploiting bugs while playing games. Plug-ins fully meet the needs of such players, and enable them to rapidly progress in the game. At the same time, a large majority of online game players are aged under 19. Players in this age bracket tend to be more rebellious in character and like to pursue different things. Plug-ins precisely enable them to have a completely different gaming experience.
2. Security deficiency in the game itself
Game developers lack security experience, and the game itself is not safe enough. A lot of game logic is placed on the client. The lack of server-side verification mechanisms also makes games prone to modification and exploitation by plug-ins.
2.1.3 Plug-in categories
Plug-ins can be divided into the following four categories based on the implementation principles:
2.2 Account security issues
Account theft is no stranger to anyone. The roles, equipment, and gold coins that players spent a lot of time and energy to accumulate in the game are valuable virtual properties. Once these resources are illegally stolen, the player may be lost forever. Account security issues also affect the long-term stable operation of a game to a large extent.
2.2.1 Definition of account security issues
Account security issues: The players' game accounts are stolen through hacking Trojans, phishing or other means; the virtual properties of the stolen account may be transferred or subject to malicious operations, and other issues.
2.2.2 Cause of formation
Account security issues are mainly caused by the following four reasons:
1. Lack of safety awareness of players
Although players are having more in-depth network security awareness with the popularity and application of networking, some still have insufficient security awareness. With bad online surfing habits coupled with the fluke mindset, players may inadvertently infect their computer with viruses while browsing some Trojan-embedded websites or opening some Trojan-embedded files, resulting in account theft.
2. The promoting role of plug-ins in the precise delivery of Trojans
A vast majority of players whose game accounts are stolen once used plug-ins. Many plug-ins are bundled with Trojans. While using plug-ins, players may even take the initiative to disable their anti-virus software to ensure stable operation of the plug-in, creating an opportunity for Trojans to take advantage.
3. Industrialization of account theft with Trojans
High illegal incomes industrialize online game account theft, and a series of "black" profit points including QQ account theft, account selling, transfer of virtual properties, advertising, and fraud gradually come into being. This has also fattened the surrounding "gray" market of Trojan writing, account trading, and auxiliary software. Production (Trojan production), infecting (embedding Trojan to websites or programs), sales (disposal of stolen goods), and laundering (money laundering) are clearly divided.
2.2.3 Account security issue categories
Account security issues can be broadly divided into the following three categories:
1. Account-stealing Trojans: The Trojan viruses used to steal the player account and password.
2. Phishing: False clients, fake input boxes, and phishing websites.
3. Virtual property transfer and malicious operations after the account theft.
III. Summary
With its constant development, Tencent games are also faced with a variety of online game security issues. During the confrontation with plug-ins, hacking Trojans, false and malicious news, gold farming studios, and private servers, we mainly resort to the introduction of the self-developed Tencent game security platform and the use of various technical solutions to solve security issues in a timely manner and provide support for the stable operation of games. Currently the Tencent game security platform has provided protection services for the clients of more than 30 games offered by the entire company. Tens of millions of players are enjoying a secure gaming experience provided by the security platform every day. At the same time, we can also see that many new games have improved their own security a lot; however, security is a process of confrontation with no end. As long as it is profitable, there will always be criminals who try to destroy the game. We are also prepared to make unremitting endeavors to safeguard the normal operation of games and constantly improve the experiences of players.